[unisog] New exploit

We are seeing quite a bit of this. It seems to be Randex in its
various forms running around. It seems that for some odd reason McAfee
and NAV have some problems identifying these...I have no idea why, I
just accept it as fact :)
If you look at Randex and how it infects it also tries to copy itself
to shares (like C$, IPC$ and ADMIN$) which just happened to be enabled
by default in Win2k. So, if anybody is interested in specifics
(binaries etc...that I found on machines) feel free to email me.
I guess you can take confort in the fact that somebody else is seeing
this odd behavior as well.
-=Mike
On Tue, Nov 11, 2003 at 12:43:36PM -0500, Allison MacFarlan wrote:
> We are trying to identify something that is going on here, and wonder if you're
> seeing this at your campuses (all of them, not just one):
>> -waves of spoofed addresses trying to get out to various IPs and IRC locations
> (these get dropped, but they tie up the routers with traffic);
> -when a machine is examined, it has the executables characteristic of
> W32.Randex.Y,
> but the virus is not detected by NAV (no comments);
> -reports from all over that event logs are filling up with login attempts, both
> successes and failures, suggesting that a password cracker is also part of this
> package;
> -the machines that are examined are up-to-date with Windows patches and virus
> definitions, and the virus engine is working.
> --
> ++++---++++---++++---++++
> Allison S. MacFarlan
>allison.macfarlan at yale.edu> ITS Information Security Officer, AM&T
> Yale University
> ph: 203-432-6684
> bp: 203-370-0554
>http://www.yale.edu/its/security
--
_
_ Michael J. Sconzo
_ Computing & Information Services, Texas A&M University
The New Testament offers the basis for modern computer coding theory,
in the form of an affirmation of the binary number system.
But let your communication be Yea, yea; nay, nay: for
whatsoever is more than these cometh of evil.
-- Matthew 5:37